This article was previously published under Q253512
This article has been archived. It is offered "as is" and will no longer be updated.
When you upgrade your Microsoft Windows NT 4.0 domain to Windows 2000 Active Directory and you click to clear the User cannot change the password check box in Active Directory, the user may still be unable to change his or her password. In addition, the Active Directory user interface shows that the check box is cleared, but the user cannot change the password.
This behavior occurs when you turn on the User cannot change the password option in Windows NT 4.0. This action creates a denied Access Control Entry (ACE) for changing the password, and removes the allowed ACE for changing the password. After you upgrade to Active Directory and you turn off the User cannot change the password option, the user interface removes the denied ACE but does not add the allowed ACE.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
NOTE: To view the version, right-click the file in Windows Explorer, click Properties, and then click Version.
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.
When you turn off the User cannot change the password option after the upgrade, look for the allowed ACE in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Add the allowed ACE if it is absent, and then remove the denied ACE.